Can HR Help to Manage the Impact of Cyber Attacks?

Data protection – more specifically the consequences of a cyber-attack on data – has been on my mind recently. Like all businesses I take steps to protect the data we hold and am advised by experts on what’s appropriate and necessary to do so. The knowledge of the combination of the increasing sophistication of cybercrime and the forthcoming General Data Protection Regulation (GDPR) which comes into force in May 2018 has necessitated a further review.

Yesterday I was talking to a specialist in cyber security, Tony Dimech of Layer8 Ltd (www.layer8ltd.co.uk). He told me that unless you’re really on top of your game any business can find itself in the position of watching the brand it has worked so hard to create being taken to its knees by a cyber breach. It’s not just that your data can be held to ransom and it can all end up very unpleasantly and messily in the public domain.

A recent report (Consumer Study on Aftermath of a Breach – Ponemon Institute) suggests that data breaches are among the top three types of incidents that affect brand reputation, and consumers often expect compensation after a security compromise.

Tony gave this as an example. A portrait photographer shoots three big weddings over a weekend. There is a cyber-attack and all her photos are held to ransom. Unless the photographer pays up all three brides and their families will have no photographs. Since images form part of personal data under the Data Protection Act, not only have they not got a visual record of their big day, the three couples may well also demand compensation in consequence of the legal breach. No doubt they will also tell the other wedding guests and suddenly it’s all over Facebook and Twitter.

While you should undoubtedly ramp up your anti-cyber-attack precautions you should also have a data breach communication management plan. Trying to work out how to manage the crisis while it’s still taking place is not ideal. Planning for the worst now will save you time later when you’re deciding how to respond if you face the nightmare of a security breach.

Here are some key elements in managing the communication process in the event of a cyber-attack.

Decide who in the business is best suited to handle the breach and form a crisis communication team.

Outline the team roles and identify the decisions around communication that they can make in real time.

Take an inventory of your data assets and potential risks, and conduct an impact assessment.

Consider the kind of attacks that make you most vulnerable, anticipating the potential goals of a hacker.

Determine exactly what you are legally required to disclose, and assess brand impact based on both legal implications and public opinion optics before deciding on a proactive and/or reactive communication approach.

To manage external publicity work identify specialists in crisis management and communication who can be an extension of your internal team so that if a data breach happens, they will already be on board.

Identify which people in your business are best suited to be spokespeople for which audiences. Make sure that they are trained.

Determine what messages you will issue and when, from your first disclosure through to the final investigation. It can take a long period for the full consequences of a breach to be known. You may not be able to wait to disclose information or respond until all the facts are known. Consider what to say about the proactive steps you are taking based on the nature of the incident and what customers or those affected need to do and how you intend to help them.

Decided on a brand management communication plan. This includes creating a plan to work with your employees, your most influential customers, industry analysts, journalists, broadcast networks, investors, and partners.

After the event, communicate what was learned and what was done to improve security as a result. Make sure employees and major stakeholder audiences are provided with regular updates.

What are your “crown jewels”? I.e. where are you most vulnerable? What can happen if your security is breached? What legal risks do you face? What commercial risks do you face? Will your business survive a cyber-attack and data breach, especially if there’s public concern?

All businesses can be affected by cybercrime and we’ll all be affected by the GDPR. But the fact is that many businesses have not yet woken up to its existence or implications. Both in general business and as HR terms you will be affected. Now’s the time to look at it. Your brand and your company’s livelihood may depend upon it.

We deal with the good, the bad and the ugly of HR. If you need help sorting out HR problems, building your dream team or any other HR issues, give us a call on 01908 262628.